On Wednesday, social media service LinkedIn confirmed reports that the service had been hacked and approximately 6.5 million user passwords had been stolen.

By Samuel Greengard

The security hits just keep on coming. On Wednesday, social media service LinkedIn confirmed reports that the service had been hacked and approximately 6.5 million user passwords had been stolen. "We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post.

Yet, remarkably, LinkedIn did not post a banner or alert on the site to warn its users. Presumably, they had to find out about the breach via the news media, colleagues or other sources.

Members with accounts affected by the breach will find that their passwords no longer work. LinkedIn has invalidated these passwords, and the company will send out instructions--without a link--on how to reset the passwords, Silveira noted. Those affected will also receive a second e-mail from the company's customer service department providing more information about the event, as well as about security best practices.

Aaron Higbee, CTO and co-founder of PhishMe, stated in a blog post on Wednesday that forcing those with compromised accounts to reset their passwords is the right approach. On the other hand, if LinkedIn had followed in the footsteps of Internet retailer Zappos and allowed users to log into accounts and reset passwords on their own, a full-fledged disaster could have ensued, he said.

Security firm ESET reports that the hack appears to have originated in Russia, and the passwords, posted on the Internet by the hacker as proof of the breach, appeared as SHA-1 (Secure Hash Algorithm) hashes, the format LinkedIn used for its database.

Particularly disturbing, notes Cameron Camp, security researcher at ESET, is the fact that "people put real professional information on the site. It's not just what party they plan on attending." Moreover, LinkedIn "has the aggregate effect of garnering a form of peer review on what you post about yourself … mess with somebody's professional profile and you're messing with their life," he adds.

The security breakdown is also troubling on another level. "This breach is significant because it shows that having a strong password, though important, is irrelevant if enterprises don't protect them properly," states Rob Rachwald, director of security strategy for Imperva. "Enterprises must be much more diligent about implementing a strong password architecture."

Rachwald recommends that LinkedIn users change their passwords immediately--particularly if the same password is used for other sites. He says it's also critical to be on the lookout for spam and phishing attempts involving LinkedIn. In fact, ESET discovered that one such scam was already in circulation by Wednesday afternoon. The e-mail, claiming to be from LinkedIn, asks recipients to click on a link to confirm their e-mail address.

More importantly, enterprises must use better security methods to protect passwords. LinkedIn claims that it has "just recently" adopted more stringent security procedures, including hashing and salting its user database.

Rachwald says that salting—which "randomly adds characters to a password so that even if a password database is breached, the correct password can't be accessed"—is an IT best practice that cannot be overlooked. "Salting, on top of encryption, makes it very hard for a hacker to deduce your password," he says.
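To make the difference concrete, here is an added example (not code from the article, LinkedIn or any of the firms quoted) that contrasts the two storage schemes the piece discusses: a single unsalted SHA-1 over the password, versus a per-user random salt combined with a slow key-derivation function. The user records and the list of "common passwords" are constructed for the demonstration; PBKDF2-HMAC-SHA256 is used as the salted scheme because it ships in Python's standard library, not because the article says LinkedIn chose it.

```python
import hashlib
import hmac
import os

# Constructed sample user records: two users happen to share the same weak password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse battery"}

# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin2012", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_table_hits(stored_hashes: dict, candidates: list) -> dict:
    """Match a leaked table of unsalted hashes against pre-hashed candidates.

    Each candidate is hashed once and compared against every user at the same
    time, and users who share a password share a hash. That is the weakness
    salting removes. Returns {username: matched_password}.
    """
    table = {unsalted_sha1(p): p for p in candidates}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256, standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str) -> tuple:
    """Create a new record: a fresh 16-byte random salt and the derived hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def compare_schemes() -> dict:
    """Run both schemes over the constructed records and report what an
    attacker holding only the database could learn from each."""
    unsalted_db = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted_db = {u: register(p) for u, p in USERS.items()}

    # Unsalted: one precomputed table matches every affected user at once.
    hits = lookup_table_hits(unsalted_db, COMMON_PASSWORDS)

    # Salted: the same password yields different hashes for different users,
    # so a precomputed table cannot be reused and each record costs full KDF work.
    salted_hits = {
        u: p
        for u, (salt, h) in salted_db.items()
        for p in COMMON_PASSWORDS
        if verify(p, salt, h)
    }

    return {
        "unsalted_same_password_same_hash": unsalted_db["alice"] == unsalted_db["bob"],
        "unsalted_table_hits": hits,
        "salted_same_password_same_hash": salted_db["alice"][1] == salted_db["bob"][1],
        # Salting does not rescue a weak password by itself; it only forces
        # per-user work and blocks table reuse, which is why the KDF must be slow.
        "salted_hits_after_per_user_work": salted_hits,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The point the example makes is the one Rachwald is getting at: salting does not make a weak password strong, but it removes the one-table-fits-all property of unsalted hashes, and pairing it with a slow KDF means every guess has to be paid for separately against every user.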

Concludes ESET's Camp: "Users have entrusted LinkedIn with keeping droves of sensitive data and presumed that it was taking commensurate steps to protect it. This worries some who feel that if LinkedIn can get hacked, who can be safe?"